Mac Malware Evolves - No Install Password Required
An anonymous reader writes "The latest versions of the Mac Defender malware attacks no longer require users to enter their admin credentials (username and password) upon install. A threat called 'Mac Guard' installs itself into areas of the Mac OS X system that only require standard user privilege. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases."
Root access not needed (Score:3, Insightful)
Re:Root access not needed (Score:4, Informative)
It's an ongoing joke, he's been challenged to use the word "ladyboy" in every comment he makes.
Comment removed (Score:5, Insightful)
Re: (Score:3)
Oh, wait a tick, that hasn't been true for nearly FIVE years now, since Vista and 7 both run IE under low rights mode, something even Linux doesn't have.
sudo -u $browseruser /usr/bin/firefox
Just create a separate user for browsing if you don't want the browser messing around with your files. Sure, requires configuring sudoers, but not exactly rocket science.
Re: (Score:3)
There's a glaring flaw in your reasoning.
Malware authors don't want to wreck your system. They want to get value out of your system. That doesn't need root.
No surprises here (Score:3)
Re:No surprises here (Score:4, Informative)
Re: (Score:2)
Security companies of all types release information about vulnerabilities...that's nothing new.
Sophos has been around for years and is widely acknowledged as a leader in security software...they simply aren't that well known in the US. Same goes for Kaspersky...been around for years, but the marketing giants of McAfee and Symantec are simply more well known in the states.
I'd rather someone out there let folks know about these issues when they find out and it never hurts if they also provide a solution.
If t
Re:No surprises here (Score:5, Interesting)
Re:No surprises here (Score:5, Insightful)
That's a little like saying "Oh, just run NoScript or disable the Java plugin" in the Windows world. Most end users have no clue what "safe files" are or what any of what you wrote means.
Not to mention, any web based exploit can install this malware now. It runs purely in userland. Java exploits, Flash exploits, browser exploits, etc. open the gate for this malware. Today it's the safe files in Safari, tomorrow it's one of dozens of Java exploits.
It's simply easier for end users to do updates and buy an AV than to dick around with settings they don't remotely understand. To Apple's benefit they're usually good about software updates and also update Java (at least for now).
Re: (Score:3)
Re:No surprises here (Score:5, Informative)
not just that, but the sophos article glosses over the fact that you still get
1. an operating system warning about executing a file downloaded from the internet (complete with reference to where it was downloaded from). They mention it in the text, but omit it in their "slideshow" showing the steps to getting infected.
2. an osx installer gui which means it can be canceled
What this is *not* is a hidden and silent install like what is going on with Windows.
Re:No surprises here (Score:5, Insightful)
You get those kinds of warnings in Windows too. Doesn't stop an idiot from being an idiot, though.
Re:No surprises here (Score:4)
I find it interesting that they gloss over the fact that to completely avoid this all you need to do is turn off download safe files in safari, and/or not be stupid. Their solution is to purchase their anti-malware package for Mac.
So you're under the assumption that if you disable this particular setting, then you are now immune to all present and future malware on a Mac, correct? That proactive things like anti-virus or malware scanning are unnecessary, right? That the entire Mac malware threat ends with a single checkbox, is that about it?
You realize that nearly every time a piece of malware comes out for Windows that there's typically a single setting you can change to mitigate that one specific threat, right? Has that fact stopped criminals from finding new infection vectors?
The news here is not this one piece of software, or how it gets installed, or what it does, or how to stop it. The news is the fact that the professional malware authors are now targeting Macs, and they have the automated toolkits to do it. A little checkbox in your browser isn't going to change that fact.
Re: (Score:3)
Actually it says "open safe files after downloading". And specifies "Safe" files are movies, pictures, sounds, PDFs, text documents, disc images and other archive files. Nothing about running anything. And indeed, users are always asked for permission before actually "running" any code: the installer is just Apple's installer parsing an install script, and if that script contains any customized code, it will ask you for permission to run that too.
But all that is of course under the assumption that no explo
Re:No surprises here (Score:5, Insightful)
How about the comments in the last article from the fanboys screaming "BUT THEY NEED TO PUT IN THEIR PASSWORD UNLIKE SHITTY WINDOWS" and then modded up to +5 insightful.
Welcome to the new reality. I think they'll find that userland rights on any modern OS are pretty lenient and will allow for a great deal of scammy malware activities. Malware doesn't need to run in any system directory or open any low ports or anything.
Now is probably a good time to invest in OSX AV products.
Re: (Score:2)
> Why this is a corporate problem beats the hell out of me.
Why aren't you doing it?
Re: (Score:3)
That policy has probably changed now since Apple has publicly acknowledged the threat and announced a fix, as well as publishing how to remove it [apple.com]. That's their M.O. : nobody gabs until word comes down from the mother-ship.
Re: (Score:2)
Not only that but you still have to agree to install it. It requires no password because it's run at the user's authority but it must still ask to install.
Re: (Score:3)
Uh, guess what windows users do to install this:
http://en.wikipedia.org/wiki/MS_Antivirus_(malware) [wikipedia.org]
So they just have to mod it to show OS X style graphics and messages if they detect the OS is OS X.
Once there's enough news in the media about Macs getting infected, victims might ironically install the malware to protect themselves from it :).
PEBKAC (Score:5, Informative)
This still requires the user to deliberately install the malware. Since it's not compromising the system, but the user, it doesn't need privileges to do this.
Re:PEBKAC (Score:5, Funny)
Comments like that make me think you are not participating in the two minute hate.
Just embrace the hate of apple and join the group think.
Re: (Score:2)
Re: (Score:2)
That's what I've always liked about proper user versus management privileges on a computer- when the user who isn't the computer's owner or admin b0rks their account, you just nuke the account and recreate or just nuke the home directory, backing up only if they're important enough for it to cost you if you don't. Unfortunately, when the "admin" is the owner and only has user-level knowledge, they're probably not willing to nuke their own account, assuming they're not running with too many privileges in th
Re:PEBKAC (Score:5, Insightful)
On a somewhat-unrelated note, it still blows my mind when enterprise level IT still has users with full admin rights over the local workstation, as those machines constantly and continually get infected and reinfected through the ignorance of the users. Sure, it means that a user can add a local device more complicated than a printer without calling the helpdesk, but it also means that any piece of unauthorized software, whether the user intended to install it or not, or whether it's benign or malicious, gets on to the computer. When the IT department sets up the computers and privileges properly, and if the OS doesn't have local root exploits so large one can drive a Mack truck through, the user can do a lot less damage.
It's not entirely unsurprising. Telling the company owner that "We need to change the level of permissions everyone has on their machines, which means they won't be able to do this, this, and this." after the company owner and the entire user base is accustomed to having that level of permission doesn't typically get a go ahead flag from the company owner.
Re: (Score:2)
On a somewhat-unrelated note, it still blows my mind when enterprise level IT still has users with full admin rights over the local workstation, as those machines constantly and continually get infected and reinfected through the ignorance of the users. Sure, it means that a user can add a local device more complicated than a printer without calling the helpdesk, but it also means that any piece of unauthorized software, whether the user intended to install it or not, or whether it's benign or malicious, gets on to the computer. When the IT department sets up the computers and privileges properly, and if the OS doesn't have local root exploits so large one can drive a Mack truck through, the user can do a lot less damage.
That's funny because the only cases of malware being placed on computers where I work was done by the IT people themselves. None of us "plebes" have ever done so.
Re: (Score:2)
And now it can do less damage because it's running without admin privileges. Should be a lot easier to remove too.
Re: (Score:2)
For the small fraction of people that have more than one active account on their Mac, sure, but for most people it will do the same amount of damage.
Re:PEBKAC (Score:4, Interesting)
Just putting itself in the Applications directory doesn't do anything special, users still have to run it. The Applications directory isn't setuid or anything like that, it doesn't make the app run as root, it doesn't have anything to do with startup or anything else, you're just allowed to create files in the Applications directory.
As I pointed out elsewhere, the intelligent thing to do would be to install to the user's home directory, as most non-techie Mac users will NEVER look in their home directory and notice it; that's just someplace they don't generally have to go, that's what the Documents, Pictures, Music and other folders are for. Unlike the Applications directory, where users are bound to be looking at least once in a while.
The end result would be the same, all it's going to do is affect a single user.
Now if it was intelligent, it'd modify the plist of an existing app to take itself on as the app launcher, then start the real app itself, which would possibly be used by other users on the system. You wouldn't be able to do it to the Apple builtin apps as permissions still require you to be root to modify it, but some other app the user installed will be owned by them and modifiable.
Back when they were asking for a password, they should have been installing a kernel extension to cloak themselves and make removal without booting from a clean drive impossible.
This 'malware' is like most Mac users, it's a joke, it's not even a little bit impressive, it just happens to be the first one noticed.
Just wait until the Windows malware writers start putting some effort into OSX, THEN it'll get nasty.
Re: (Score:3)
This 'malware' is like most Mac users, it's a joke, it's not even a little bit impressive, it just happens to be the first one noticed.
Maybe we can say that using a Mac damages the brain so much that even the malware writers can't do a good job.
Re: (Score:3)
Until that userspace malware exploits something to elevate itself to root.
Just because it starts as a limited user doesn't mean it won't go somewhere :).
Re:PEBKAC (Score:4, Insightful)
The end result would be the same, all it's going to do is affect a single user.
Can we retire this meme?
Nobody besides IT gives a shit if the trojan can hack into the kernel or system libraries. If it can run in user space it has access to my contacts, my photos, my browser history, my bookmarks, my email, my music, and pretty much every-fscking-thing I care about on the computer. It can send mail as me, post to websites as me, drop files in my downloads folder, and put stuff on my desktop.
I mean, great that it can't infest drivers and start servers below port 1024. But the primary user of the computer (the non-admin shlub who actually needs to get work done) is infected.
Re: (Score:2)
Re: (Score:2)
This still requires the user to deliberately install the malware. Since it's not compromising the system, but the user, it doesn't need privileges to do this.
Gee, users deliberately installing things that might be harmful for their computer? I can't ever see that happening....
Re: (Score:2)
Gee, users deliberately installing things that might be harmful for their computer?
Conventional antivirus software acts as a blacklist. Mac App Store acts as a centrally managed whitelist. Do you recommend either of these two approaches, or do you recommend a third one [tvtropes.org] that's less widely known?
Re: (Score:2)
(Well, there went a half-hour of my day.)
Re: (Score:3)
Stop bringing truth and facts into this.....
Re: (Score:2)
Clearly, then, this malware was engineered by Apple itself to cull from its userbase those that it felt were not worthy of their computing experience. I mean, seriously, no one who dares install apps from anywhere other than the App Store(TM) should be able to call themselves an Apple user.
Re:PEBKAC (Score:5, Insightful)
This still requires the user to deliberately install the malware.
Something like 97% of Windows malware infections these days are caused by users "deliberately" installing malware, and that's with Windows putting a lot more obstacles in the way of websites wanting to convince users they should install something malicious than Mac OS X does. Doesn't stop Windows malware infections from being a big selling point for Macs. (Even in the bad old days of Windows security, an awful lot of infections were due to users agreeing to install the malware.)
I am safe. (Score:5, Funny)
My PC can't get Mac malware.
Re:I am safe. (Score:5, Funny)
You laugh now, but it's only a matter of time before PCs become popular enough that malware writers start targeting them instead.
But, but... (Score:3)
But... but... weren't we all told that this isn't possible? I'm sure I've heard the rhetoric repeatedly before that if someone didn't bother porting some malware to Mac or Mozilla back when they had tiny market share, then it's some kind of proof that they're secure and it can't be done.
Re: (Score:3)
Re:I am safe. (Score:4, Funny)
Really? A Mac is not a personal computer? What kind of device is it, then? Perhaps a "different computer"? Also, why does the definition of what a Mac is relate to how long someone has been in a coma? Surely the presence of recently-comatose patients would not change the nature of the machine itself.
Re:I am safe. (Score:4, Informative)
Really? A Mac is not a personal computer? What kind of device is it, then?
Steve's computer.
Re:I am safe. (Score:4, Insightful)
It is a computer that is personal, not a Personal Computer.
"A computer that is personal".. that's the same thing as a personal computer. So a Mac is, in fact, a personal computer. So it's not incorrect to refer to one as a PC, if you're into the whole brevity thing.
I know you and the dumb-shits wasting mod-points on this conversation are not this ignorant.
You're right, I'm not ignorant, I just don't base my definitions on marketing drivel, thank you very much.
Re:I am safe. (Score:4, Informative)
My goal has nothing to do with karma on Slashdot, I'm pretty sure it's already as high as it can go (half the time I don't even see scores next to anyone's posts, I haven't bothered to look into why). Yes, I checked the link. I realize that people commonly use "PC" to refer to Windows, for whatever reason. That still doesn't mean that it's incorrect to refer to a Mac as a PC. We've established that a Mac is in fact a personal computer. How much longer did you want to argue about this?
Re: (Score:3)
Didn't say Karma, I said the word Insightful next to your post.
If that was something I cared about, you would probably see me quote my own posts in my signature.
I'm not confused about anything here. I don't go around referring to my computer as a "tower", I don't refer to all soft drinks as "a Coke", and when I'm talking about a particular operating system I just name it instead of using ambiguous terms.
Less damaging (Score:3)
So that means it's now running with only user privileges instead of admin rights, which seems like a slight improvement for those dumb enough to install it.
Re: (Score:2)
There's no reason the malware can't install in usermode, and also attempt an elevated install for real rootkit goodness.
Re: (Score:2)
True, but if they were capable of using a real exploit wouldn't they do so directly? The more work these asshats have to do to get into the system the more chance there is of detecting and/or stopping them at some intermediate point.
Re: (Score:2)
So that means it's now running with only user privileges instead of admin rights, which seems like a slight improvement for those dumb enough to install it.
It also means that whatever files exist and whatever changes are made live somewhere in that user's profile.
The Windows malware that does this is annoying because it can sneak in without admin rights... But it is easily removed by simply logging in as a different user and deleting the infected profile.
Re: (Score:3)
So that means it's now running with only user privileges instead of admin rights, which seems like a slight improvement for those dumb enough to install it.
Not when it logs your banking passwords and sends them to the Russian Mafia. Most of the things that malware wants to do can be done in user mode as well as admin.
Re: (Score:2)
Sure but if your kid installs this under his/her account then mommy & daddy are still safe, for now at least. And it'll be a lot easier to purge something that didn't have admin rights from the system.
Good News for the App Store (Score:5, Interesting)
Re: (Score:3)
It'll never happen. A lot more mac users are power users than the stereotypes suggest and these people just wouldn't accept it. At most they could go with an opt-out system. Otherwise I think app-stores are more of a positive evolution than people give them credit for, when they are not shoved down your throat that is. The signing of software to guarantee that it hasn't been modified or tampered with is a no-brainer, a bit like having shrink-wrap around a box-set of physical media.
Re: (Score:2)
Then they would lose a good deal of their user base.
Contrary to popular belief, lots of Mac users are actually geeks working in the software industry.
Unless Eclipse, Tomcat, the Spring Framework etc. etc. are all available via an App Store: FOR FREE ... such a move would be a very bad idea.
angel'o'sphere
Good (Score:2)
Re: (Score:3, Insightful)
High-profile attacks that occur in user space help to underscore that the obsession OS vendors have with admin access doesn't do much of anything to prevent a machine from being compromised -- it only serves to give users a false sense of security.
I have a hard time completely dismissing privilege escalation. There is still some value in being able to separate user data from the system proper - if only to make clean-up easier. But I do completely agree with the overall lesson here. An overly simplified view of security might very well overlook the fact that there's still a lot of value with operating in the context of an unprivileged user. And as such, users should remain wary whenever they're acting outside the boundaries of their local environ
Re: (Score:2)
Real issue (Score:2, Informative)
The only real issue is the "auto-download safe content" default option in Safari. It shouldn't be enabled by default. Just uncheck it.
Another case of iClicitys (rush of advertisement clicks generated by Apple buzz)
The difference (Score:3)
So instead of installing into /Applications, which does require an admin username and password, it now likely installs somewhere in the user's home folder, which doesn't require admin authorization. This means the problem would be isolated to that particular user's account.
Re:The difference (Score:5, Insightful)
This means the problem would be isolated to that particular user's account.
For many home users, that is all that really matters. We are not talking about an enterprise setup here, we are talking about some person's laptop. Frankly, in an enterprise setup I would be surprised if user home directories were not mounted with noexec (or whatever such an option would be called in Mac OS X), which would thwart this problem.
Re: (Score:2)
Frankly, in an enterprise setup I would be surprised if user home directories were not mounted with noexec (or whatever such an option would be called in Mac OS X), which would thwart this problem.
It would reduce the problem, not eliminate it. Just because you can't run $HOME/malware.sh directly doesn't mean you can't 'bash $HOME/malware.sh'.
Re: (Score:2)
Even for enterprise users (Score:3)
The "BUT IT DOESN'T INFECT THE SYSTEM!" screaming is just a geek defense mechanism that shows ignorance of how computers are actually used. Nobody at work gives a shit about the system. They don't care about the OS, the applications. They've learned that we, the IT people, can get that all back and running quickly. None of it matters to them.
What matters is their data. That is what they want, what they worry about. From the important, like actual work, to the trivial like bookmarks and backgrounds, that is
Re: (Score:2)
Except it will probably infect a trusted executable, and then when the trusted executable asks for elevated privileges nearly everyone will allow it to have them.
Re: (Score:2)
So instead of installing into /Applications, which does require an admin username and password, it now likely installs somewhere in the user's home folder, which doesn't require admin authorization. This means the problem would be isolated to that particular user's account.
And this is ok? When you consider that most systems that are not servers have only one or two users, the fact that it's limited to one account doesn't mean much of anything all. That's one account having its passwords and cc info gleefully distributed, among other things. Do you really think it matters that the admin account has not been compromised? (yet - once installed it's trivial to trick the user into providing admin access)
Apple is patching anyway (Score:2)
So either the patch will already recognize and remove this, or they will have to issue another little update to take care of it completely. Given that they are not compromising any privileges, stopping this should be ridiculously easy. Why are these guys even bothering?
Unless perhaps they are trying to get an installed base with the current package, which can then perhaps help with a real exploit - e.g. directing a browser to a website that exploits a real vulnerability.
Re: (Score:3)
Or they want to infect a trusted file, or more likely, the user info they want will reside in the user's directory.
For the most part, modern attackers don't want to damage your computer, they want to get personal info, CC numbers and the like.
It's best for them if their attack has no noticeable impact on a system.
That will be the most interesting aspect (Score:2)
I'm really curious just what Apple will do in a patch to prevent this. You could of course recognize one variant, but you can't easily find an infinite number of variations... especially when there's so little difference between a trojan and some application that is meant to be downloaded and run.
The funny thing is currently the absolute safest recommendation you can make to a Mac user to keep them safe is to NOT install any anti-virus software.
Does this make it easier to remove? (Score:2)
Does the principle apply to Linux? (Score:3)
Does the principle apply to Linux? If yes, then it matters, for nerds, for real. ;)
Re: (Score:2)
Does the principle apply to Linux? If yes, then it matters, for nerds, for real. ;)
If you download and run random programs on any OS I've used you're vulnerable to malware. You could partially mitigate it by mounting /home as noexec, and you could probably use SELinux to prevent users from running any applications from /home, but that's a pain.
Re: (Score:2)
you could probably use SELinux to prevent users from running any applications from /home, but that's a pain.
How is that a pain? Have you ever tried it? In Fedora, it is a matter of setting an SELinux boolean (allow_user_exec_content) and setting the user as user_u. This is literally two things to click on in the SELinux GUI tool, or two commands to run in a terminal. This might annoy users who want to do things like write scripts, but if your goal is to defend against this kind of malware, then that is what you have to do.
Of course, most home users are unaware of noexec/SELinux and would need the family
Re: (Score:2)
How is that a pain?
If you're not using a Fedora-based OS then SELinux probably doesn't work, and any competent Unix user probably has a bunch of scripts in $HOME that they use to do random things; I certainly do. I could put them in /usr/local/bin instead but that's a pain in itself.
You also need to ensure that /tmp and /var/tmp are noexec, which Ubuntu, at least, seems to dislike. On the plus side, /tmp is normally a RAM disk so any malware installed there will vanish at the next reboot.
Re: (Score:2)
If you're not using a Fedora-based OS then SELinux probably doesn't work,
Well, there is also AppArmor, TrustedBSD, TrustedSolaris, etc. The real point here is that mandatory access control does not have to be a hard thing to use, especially if you are trying to do something common like prevent a particular user from executing programs in their home directory. I cannot comment much on how easy AppArmor/etc. are to use, since I have not actually used them.
You also need to ensure that /tmp and /var/tmp are noexec, which Ubuntu, at least, seems to dislike.
That screams "problem" to me, but theoretically an SELinux policy could be written to allow this for whatever specific pr
Re: (Score:2)
That said, as a savvy user, I'm also not dumb enough to run random programs off of the internet, so I don't lose sleep from being able to execute stuff from
Re: (Score:2)
Under Linux you have to download it, turn on the execute bit and set the permissions and THEN execute it.
Nope, no chance in hell that a user will fall for this under Linux. If they launch random crap they will never be able to set it to execute.
Re: (Score:2)
Under linux you have to download it, turn on the execute bit and set the permissions and THEN execute it.
"To install the Cute Kitty screensaver, download malware.sh, open a Terminal window and type 'bash malware.sh'."
Yeah, it's a pain, but more than a few people will do it in order to see cute kitties or b00b13s. The only way to stop them from doing it is to ensure they can't run anything that isn't in a system directory.
And, even then, they'll still install random Firefox plugins which don't require execute permission or root access.
Re: (Score:2)
$ sh [insert script name here]
No execute bit needs to be set.
Need proof?
$ vi test
#!/bin/bash
echo "This is a test"
:x
$ ./test
bash: ./test: Permission denied
Looks promising. Now lets tell bash to run that script without setting the execute bit.
$ sh test
This is a test
Yep, it executed.
Re: (Score:2)
Re: (Score:2)
Does the principle apply to Linux? If yes, then it matters, for nerds, for real. ;)
Here's how to find out:
$ cat > nasty.c
#include <stdio.h>
void main() { puts("Oh No! The sky is falling!\n"); }
$ gcc nasty.c
$ ./a.out
If your Linux prints "Oh No! The sky is falling!" then yes you have the OMG, my computer lets me run code in user mode! vulnerability. Remain calm - walk (don't run) to your local Apple store and buy an iPad, which is safely locked down so that you can't run any old code on it, even if you want to.
So what's it to be folks? Should the Holy Jobs lock down OS
NB (Score:2)
PS: I know I shouldn't have put "void" in front of "main" but its 15 years since I wrote any serious C, and malware is supposed to be badly-written, isn't it?
This is the evolution of criminality (Score:5, Insightful)
The malware is evolving from taking advantage of bugs in Windows, to social engineering. I had malware scanning on my PC because malware could get in the back door via services and other areas. Now, they are installing it right in front of your face trying to masquerade as something else.
They are going from the thief in the night who exploits the bad lock in the back door, to walking in the front door acting like the delivery man and given the run of the building by unsuspecting human beings. They are no longer exploiting Windows or Mac OS X... they are exploiting the users directly and making it look like it's the OS's fault.
I've seen plenty of PCs pwned by this type of malware, and it wasn't Windows' fault in those situations either; the user simply installed something that took over the system.
Re: (Score:3)
I think another point might be that the malware is evolving from doing things which might require system-wide admin privileges, to just doing things which require lower levels of access.
My first thought when I saw an article posted on Ars Technica yesterday, about this change in the malware, was, "But, wouldn't that mean the malware has to run at lower privilege levels"?
Then I realized that something running at "user" privilege levels instead of root, can still be bad. It could probably still keylog that pa
It still requires the user to click through (Score:3)
You are still required to click through an install wizard, so this is in no shape or form an install performed without the user.
Re: (Score:2)
Is that OS X install wizard built by the OS, or is it an executable coded by the malware author? If the answer to the last question is yes, why is it needed to continue the install wizard? The malware author can add code before opening it to install anything they want even if you press cancel.
The problem is Safari's setting to open "safe" files automatically; that is the dumbest thing a browser can do.
So uh... (Score:4, Insightful)
Where, exactly, is this going to hide from htop, top, ps or any other process listing facility?
Unlike Windows, OSX and Linux and every other sane OS in the universe, there is no such thing as a "hidden process."
As a user process, it also cannot patch top, ps, or htop, or any other process lister. It cannot fuck with logs. It cannot do anything at all that the ordinary user cannot do. Indeed it runs under the same UID as the logged in user.
ps -uax | grep $USER
OH HEY GUYS THAT LOOKS WEIRD
killall -9 $SUSPICIOUS PROGRAM
rm $PATHTOSUSPICIOUSPROGRAM/SUSPICIOUSPROGRAM
And not even have to have a # in your prompt. No sudo, no su, no nothing.
Go on with life
Wow. That's...difficult.
--
BMO
Re: (Score:2)
With tricks like this: Howto change a UNIX process and child process name by modifying argv[0] [uofr.net]
For example, sendmail changes it to "sendmail: accepting connections".
Re: (Score:3)
Oops, I forgot: when the malware is installed, it can just change all your init session scripts, prepend a directory to your PATH, install new versions of ps, top, htop, kill, ... Not impossible to detect, but it can hide itself a little more than simply running ps and kill.
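A defender-side audit for the PATH-prepend trick in the comment above, and for the "just run ps and kill" advice a few comments up: added here as an example, not code from any commenter. It assumes POSIX sh and treats only /bin, /usr/bin, /sbin and /usr/sbin as trusted homes for the tools a user would reach for; the directory names and tool list are the example's own choices.

```shell
#!/bin/sh
# Added example: check whether anything on a user's PATH is searched before the
# system directories, and whether ps/top/kill and friends actually resolve to
# the system copies. A user-level malware that prepends its own directory to
# PATH in ~/.profile or similar would show up here.

# Print the first executable named $2 found by walking the PATH string $1.
# Prints nothing if the tool is not on that PATH at all.
find_in_path() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ -z "$dir" ] && dir=.          # an empty PATH entry means "."
        if [ -f "$dir/$2" ] && [ -x "$dir/$2" ]; then
            printf '%s\n' "$dir/$2"
            break
        fi
    done
}

# Trusted locations (assumption of this example) for the tools we check.
is_system_dir() {
    case "$1" in
        /bin|/usr/bin|/sbin|/usr/sbin) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every PATH entry that is searched before the first system directory.
# Anything listed here can shadow ps, top, kill and the rest for this user;
# legitimate prefixes such as /usr/local/bin will appear too, so review them.
dirs_before_system() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ -z "$dir" ] && dir=.
        is_system_dir "$dir" && break
        printf '%s\n' "$dir"
    done
}

# For each tool named in $2.., warn if its first match on PATH $1 lives
# outside the system directories. Returns 1 if anything was shadowed.
check_path_shadowing() {
    path=$1; shift
    rc=0
    for tool in "$@"; do
        hit=$(find_in_path "$path" "$tool")
        [ -n "$hit" ] || continue       # tool not installed at all: nothing to say
        if ! is_system_dir "${hit%/*}"; then
            printf 'WARNING: %s resolves to %s, not a system directory\n' "$tool" "$hit"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: audit the calling user's own environment.
audit_current_user() {
    early=$(dirs_before_system "$PATH")
    [ -n "$early" ] && printf 'Searched before system dirs:\n%s\n' "$early"
    check_path_shadowing "$PATH" ps top htop kill killall grep
}
```

Run it as the affected user (`audit_current_user`) from a shell you trust, since the whole point is that a replaced ps or grep would lie to you.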
Re: (Score:3, Informative)
Yes, I can clearly see my mom running that on her laptop...
This is a problem for the random user, not for the geeks who know what ps, grep and piping are used for.
Re: (Score:3)
Unlike Windows, OSX and Linux and every other sane OS in the universe, there is no such thing as a "hidden process."
There are no hidden processes in Windows, only those which the task manager will not display. Get process explorer, it's free.
Re: (Score:3)
So here's the question:
Why won't task manager show hidden processes?
Why do I have to rely on a third party (Sysinternals) now bought by Microsoft, just so I have the ability to see these things?
What are you talking about? Task manager shows the same processes as process explorer. Did you miss the "show processes for all users" button?
Only your own folder? Still... (Score:3)
That seems like it's not really any protection at all. Most Macs are likely single user setups anyway. Sometimes, sure, you'll have some other users on the machine, but most of them are likely just tied to one user.
To that one user, their files are the critical component of the machine. If they bought the machine, they have the reinstall discs for the OS, plus those of any upgrades. Annoying? You betcha. But if they haven't been backing up their files (shame on them) then having to reinstall the OS is the LEAST of their worries.
And this of course goes for Windows and Linux installs as well. And really, even in a multi-user/single-machine scenario, while the damage is limited, it is still potentially devastating for the user involved. And again, for many (most?) installs, there's only one user that matters anyway.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Not a lot of virii, Trojan.OSX.RSPlug was it for a while.
Re:More damaging for Apple than most think... (Score:4, Insightful)
The vast majority of Windows infections also come from viruses that "must be installed". Not 100% obviously, but if you take out the ones that infected users months after patches were released, and the ones where users clicked through a UAC prompt to install anyway, you end up with a very very small sample.
Its all about social engineering now.
Re:More damaging for Apple than most think... (Score:5, Insightful)
The problem with this assessment is that it's the exact same assessment that OS X has been receiving for the past 6 years whenever a new Trojan pops up. And no, this trojan really isn't any different than its predecessors. I'm not trying to defend OS X as the almighty glorious Mac Master Race computer, but it's a little ridiculous to see this cycle every time an OS X Trojan pops up (and they've pretty much all been trojans -- IIRC, a few were classified as worms, but I really don't remember clearly):
1. Malware appears for OS X
2. AV companies advertise it wildly
3. Journalists/"Analysts" declare that age of Innocence for OS X is over, no longer "immune" to Malware
4. Message Board users declare the end of OS X/Catastrophic damage
5. Time passes and reality sets in -- the Malware/Trojan fails to reach any noticeable level of threat
Again, this isn't to say OS X is immune. Absolutely not. But every time a bit of Malware appears, this exact cycle happens -- and OS X and Apple's sales only go up.